Spring Security & Keycloak - CORS Configuration

Intro

If you've ever configured a frontend-backend application, you have definitely run into this issue:

✅ GET requests work as expected

❌ POST/PUT/PATCH/DELETE requests return 403 Forbidden even if the security token sent with the requests is correct.

This happens because of the default CORS configuration.

This article assumes a Spring Boot application configured with Spring Security 4.x as a resource server.